SAS 99 -- 17 ways to protect yourself from malpractice

Congress mandated as Sarbanes-Oxley (SoX) for public companies and their auditors. Think of SAS 99 as SoX for everyone else. SAS 99 became effective for audits of financial statements for periods beginning on or after

December 15, 2002 and applies to audits of all nonpublic entities, private companies, non-profits, government units, etc. The trigger is an audit. The status of the entity is irrelevant. If you don’t follow SAS 99 and miss a fraud, the plaintiff’s attorney will use it as a road map to sue you. So every time you check “no” or “not applicable”, how are you going to answer the bank’s attorney’s question, “Why do you think you’re smarter than the Auditing Standards Board?”

Ignore these at your own risk

Could your audit workpapers withstand the scrutiny that some firms have undergone in the recent scandals? If not, think about these before you finish the field work:

The first problem is the title: Consideration of Fraud in a Financial Statement Audit. SAS 99 doesn’t require you to just think about fraud. It requires you perform the audit differently. So reword your audit programs to force yourself to think about what SAS 99 requires. Consistent wording in your audit programs year after year makes it easy for the plaintiff’s attorney to show you didn’t implement SAS 99 with all its new requirements.

SAS 82 and now SAS 99 still allow and don't prohibit auditor practices that make it easy for clients to commit fraud. For example, it's only suggested that auditors 'consider' surprise procedures. It should be required that you vary procedures to keep the client off balance.

Auditors often tell clients which inventory locations they are going to 'observe'. How much easier can you make it for a client to commit inventory fraud than to tell them which locations you're going to count?

Protect yourself against sloppy language. Remember that every time SAS 99 says a procedure ‘should’ be performed, it MUST be performed.

Don’t make the mistake of firing your riskiest clients, then trusting the remaining clients because of an honest track record. “But I trusted my client,” is NOT a defense. SAS 99 is crystal clear on this point . . . “trust” is NOT an internal control.

Remember that judges and juries can override our rules and standards because GAAP and GAAS do NOT have the weight of LAW. Just because you put all the marks in the right little boxes on the check list does not mean you’ve done a successful audit. For example inventory observations began when McKesson & Robbins’ auditors missed the fact that five Canadian warehouses that were supposed to be full were in fact empty. The managing partner of the Big-8 firm didn’t want to sully the integrity of the CEO by counting the inventory. Sounds silly now, doesn’t it?

Don’t’ fall into the “expectation gap.”’ The expectation gap is the primary cause of malpractice liability. It occurs when you believe that SAS 99 is the maximum level of work required. Thus, you often perform work below the level required. But judges, juries, SEC, etc. have said, over and over again, that audit standards are the minimum level of acceptable performance.

You don’t get a “learning period” to implement SAS 99. Why? Because each year’s audit stands on its own. This is the most dangerous year to audit under SAS 99 because it’s new.

Paragraph 1 of SAS 99 states “the auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” Thus, SAS 99 clearly says that auditors have a positive, affirmative, duty to detect fraud.

SAS 99 says all management frauds are material because they signal that the person lacks integrity, including turning in fake expenses. Further, materiality isn’t just an amount. A small amount also can be material because of the reason it’s there. For example, a small amount is material if it accomplishes something BIG, such as getting the bank loan renewed or maintaining your stock price.

If you don’t pursue the ‘red flags’ of fraud — whether or not they are listed in SAS 99 — odds are you will be held liable for resulting losses.

If you win business or keep clients by promoting your firm as client "financial partners," think how a jury will interpret that. Not a good idea. So review your proposals and marketing brochures.

The cost of audits is on the rise. If your client switches to a compilation or review, the bankers may not notice. Talk to your counsel about adding, in large, bold print, "NOT AN AUDIT OPINION" at the top of your compilation and review reports.

Using desktop publishing, some former clients will create their own fake audit opinion. Talk to your counsel about alerting the bank that you no longer audit the company.

To avoid detection, clients attempt to have everything look ‘normal’. So in contradiction to SAS 99, don’t wait until you have identified a risk of material fraud to perform surprise and other additional procedures. That’s backwards. Perform the procedures to identify the risk.

If you’re conducting the audit for bank loan covenant, minimize your risk by teaching every team member WHY the audit is being done, so they’ll know what to look for.

The final word

Remember, like teenagers getting their driver’s license, getting an audit is a privilege, not a right. The best way to protect yourself and your firm is to select very carefully those with whom you do business. Do NOT accept clients just because they are willing to pay for the work. For example, in the infamous ZZZZ Best Carpet Cleaning fraud, CEO Barry Minkow and CFO Mark Morze picked the auditors because they believed the firm would be the easiest to fool. If you don’t know anything about the potential client’s business, take a pass. In this new environment, the fees are simply not worth the risk.